Multi user support in Puppy and Grafpup Linux - my thoughts
This subject eternally comes up on the Puppy Linux forum and I have grown somewhat tired of the same things being said about it. There is in my opinion a large amount of misinformation floating around about the root account, su, sudo, and security of the above. I thought it would be nice to put my thoughts down on a page and then whenever the subject comes up again I could just link to it and say “Look HERE”, rather than trying to explain the same concepts over and over again.
First off, Linux is by its very nature a multi-user system. It is designed that way from the kernel level on up. If you build a distribution from scratch using source code it will be by default multi-user, unless you make changes on purpose to alter that fact. Windows started out life as the opposite, a single user system which the developers have been trying for the last decade or so to turn into a secure, multi-user system.
A lot of people have decried Puppy Linux for running as the root account. But the reasons they give often show a misunderstanding of why the root account can be dangerous. As computer users a hacked system is not always our biggest concern in my opinion. Nor is user error the biggest concern. How many people have actually typed in “rm -R /” into a shell? It just doesn’t really come up as often as the tinfoil hat crowd would have you believe.
Actually, what Windows has proved, if anything, is that it is irresponsible programmers, not users, who pose the most threat to the security of your computer. Especially when those programmers are operating in a closed source, closed door environment with nobody reviewing their code. 99% of the programming done for Windows will try to make system wide changes when it installs onto your computer. In most cases this amounts to little things like changing file associations, so that when you install Joe’s supremely stupid image editor all of a sudden every image file known to man appears on your computer as a Joe’s Image file and opens with Joe’s piece of garbage, which you then will decide to uninstall and spend weeks trying to get your image files to open in Photoshop like they did before. A lot of people have experienced this. And every two bit programmer out there thinks their POS program deserves a desktop icon as well as a link in the quick launcher, and space (not to mention cpu cycles) to have it ready to go, running in your system tray the moment you start your computer. It wouldn’t be Windows without ten popup messages every time you turn it on, informing you that your computer is not protected.
But often the security flaws were much, much more insidious. The supreme example was ActiveX, which allowed at one time almost any kind of code to be run on your computer, often with administrator rights, just by surfing to the wrong web page. This is the actual reason the root account is dangerous, because you should know what programs your computer is running. Microsoft created a culture where any programmer could run any code on any system and none of their users were informed enough to know what was actually taking place on their own computers. YOU SHOULD KNOW AND CARE WHAT YOUR COMPUTER IS DOING!!!!!!!!!! Funny actually, when they finally locked down the system somewhat all they managed was to take administration rights away from the USER, but continued to allow the idiot programmers to run their POS programs as administrator until this lovely thing called Vista finally arrived.
The average Linux user is, by all accounts, much more informed than the average Windows user. There are of course exceptions, but by and large this generalization holds true. And 90% of the programs that run on the world’s Linux boxes are completely open source, so anybody with some initiative can learn exactly what it is they are doing on your system. Not many do, but enough have over the years that the code is pretty thoroughly reviewed. And we share efforts a lot with the BSD folks, who go through the code even more thoroughly than us Linux geeks. Install the average Linux program and you’re LUCKY if you get even a menu entry, let alone a desktop icon, quicklaunch icon, and system tray icon. In fact, you may search half a day before you figure out how to get it to run at all, as opposed to those nice folks in the Windows world who will make sure that you spend the next six months trying to figure out how to turn OFF their wonderful little piece of software and stop it from annoying you at every bootup. Oh, and using up every bit of real estate in your browser window because you needed an extra IE toolbar, didn’t you?
Here’s my point - the users are not the evil ones. They are not the ones who need to be kept from harming their systems. They should be empowered to make decisions about how their computers operate, and have the right to decide what programs run on the machines they paid for and how they run. I will repeat this part - they should be empowered.
How do I relate this to Puppy and Grafpup? Well I wouldn’t have gone to all the effort of converting the legacy scripts from Puppy into multi-user capable code if I didn’t think there were cases where that was desirable. I want the owner of that computer to be able to choose how they want it to run. I’m not going to dictate how they should run their computer, I’m not that egocentric. I like Puppy Linux. A lot. And I feel perfectly safe browsing the web using Puppy because I know what I’m doing, I know I’m using browsers that are by nature more secure than IE (not hard to accomplish), and I know that the system I’m using is not a popular target. And even if it were, the development proceeds at such a breakneck pace that it has the nature of a chameleon.
My reasons for wanting nonroot user accounts are more about convenience. I have five kids, and three of them are of an age that computer use is a regular activity. We are not wealthy enough that each person has their own computer, so individual accounts make it easier to segregate email, web bookmarks, etc. And it keeps my kids from installing software I don’t want on my computer. For instance, flash 9 still crashes the browser on an awful lot of sites. It’s a total piece of crap and I don’t want it installed system wide. They can easily install it in their own user account and play their web-based games, and watch youtube, etc. without crippling my ability to log into online banking. And I can easily monitor what they have been doing because I HAVE ROOT ACCESS. And even if they delete their browsing history I can access it through our router, which they do not have the password to.
Let me comment on a few other related issues. Ubuntu has purposely crippled the ability to log in as root, and instead has configured sudo so that one user can run ANY command as superuser by typing their password. Well, in that case that one user is for all intents and purposes root. This is circular logic that really makes no sense and it is definitely not how sudo was intended to be used. Furthermore it has led a lot of people to the conclusion that sudo is insecure and to be avoided. This is patently false.
Sudo is, by nature, not any more or any less secure than most other pieces of software. It is actually more secure than su, because to use su you have to know the root password and then you can run any command you wish as superuser. Sudo is intended to allow the system administrator, who should know a little about what they are doing, the convenience of letting other users run a carefully selected group of commands with root privileges. You cannot, as people keep falsely claiming, “sudo su” and so become root. That capability was thought about a long, long time ago and disabled at the source code level. I know this having compiled sudo from source, installed it, and configured it to suit my taste. It is an extremely useful piece of software that just takes a little care and thought when it is being set up.
The only time sudo becomes an insecure piece of software is when some idiot misconfigures it in a way which will allow a user to escape to a shell as root. For instance allowing sudo to be used to open a file manager, from which they can then launch any program they wish by clicking on the executable in the bin directory. Including, say, Xterm or rxvt. Or, by being Ubuntu. To be fair, you can set up a lot of other users in Ubuntu which will not have the ability to run commands using sudo, and those users will be safe from worrying about accidentally typing “rm -R /”, so they can sleep at night. But they are just providing the illusion of not allowing a root login, by abusing and misconfiguring sudo in a way that its developers never intended for it to be used. It is almost akin to a PR stunt. They can claim to be more secure because there is no root login. Well, like I said, that first user may as well BE root.
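The two paragraphs above describe a "carefully selected group of commands" on one side and, on the other, rules that hand the user a file manager, a terminal or ALL. The following added example (mine, not code from the post or from Puppy/Grafpup) is a simplified review check over sudoers-style user specifications: it flags any rule whose command list contains ALL or a program that gives the caller a shell or launcher. The program list is constructed, and "rox" is assumed to be the file manager binary; it reads only plain "user host = (runas) [TAG:] cmd, cmd" lines, not aliases.

```shell
#!/bin/sh
# Added example: flag sudoers rules that amount to a root shell.
# Constructed list of programs that give the caller a shell or a launcher
# (the post's examples: a file manager, xterm, rxvt, plus su, the shells,
# and the keyword ALL). "rox" is assumed to be the file manager binary.
SHELL_ESCAPES="ALL sh bash su xterm rxvt rox"

# Reads a sudoers-style fragment on stdin, prints each offending rule,
# returns 1 if any rule was flagged and 0 if none were.
sudoers_flag_escapes() {
    bad=0
    while IFS= read -r line; do
        # skip blanks, comments, alias and Defaults lines, and anything without "="
        case "$line" in ''|\#*|*_Alias*|Defaults*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac
        spec=${line#*=}                                     # text after "="
        # drop the "(runas)" part and tags such as NOPASSWD:, then split on commas
        spec=$(printf '%s' "$spec" | sed 's/([^)]*)//; s/[A-Z]*://g; s/,/ /g')
        for cmd in $spec; do
            base=${cmd##*/}                                 # basename of each command
            for esc in $SHELL_ESCAPES; do
                if [ "$base" = "$esc" ]; then
                    printf 'grants a shell: %s\n' "$line"
                    bad=1
                    break 2
                fi
            done
        done
    done
    return $bad
}

# Constructed fragment: one careful rule followed by the two kinds the post warns against.
SAMPLE_SUDOERS='kids ALL = (root) NOPASSWD: /sbin/poweroff, /sbin/reboot
kids ALL = (root) /usr/bin/rox, /usr/bin/xterm
first ALL=(ALL) ALL'

if printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_flag_escapes; then
    echo "no rule grants a shell"
else
    echo "review the rules listed above"
fi
```

A rule that only names a few non-interactive commands passes; the file manager/terminal rule and the "ALL" rule are both reported.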
Another issue which is constantly misrepresented is that of running servers in Puppy. The Apache web server runs by default as the user “nobody” or “daemon”. MySQL runs as the user “mysql” on most systems. Almost all servers behave similarly. Only a handful actually run as root. All of these servers require root access to be started, regardless of whether they are being started in Puppy, Grafpup, or OpenBSD for that matter, but then discard their superuser powers immediately and become another user for security’s sake. So running a server using Puppy is exactly the same as running a server in any other *nix assuming they are configured in a similar manner. It has absolutely NOTHING to do with whether X is being run as root or as nonroot. Apache will not, WILL NOT, run as root. You cannot force it to do so without altering the source code. I ran http, ftp, pop, smtp, and ssh servers from a Puppy box for almost three years, over the public internet, without ever coming close to being compromised. The idea just doesn’t bother me at all, any more so than it would if I were using Debian, Slackware, or a BSD.
On the flip side, people are constantly asking on the Puppy forum how to set up regular user logins, and an awful lot of folks have griped about how this should be a simple matter to accomplish and why don’t we developers get off our lazy arses and write the two to three lines of code which will make it possible. Well, speaking as the first person who did just that, all the way, I can tell you it is not in any way trivial. The amount of changes that had to be made were enormous, and every new program written for Puppy has to be gone over with a fine tooth comb to determine whether or not it will run without root access in Grafpup. It was so much work that there is just no way I will ever go back, because I now have too much invested in it.
At the same time there are those who think that writing code to play nice with non-root users is hard, or that it gets in the way of the user. This is not true either. There are only a handful of habits which need to be changed, such as hard coding in /root rather than using $HOME, or leaving files lying around in /tmp, which other users cannot overwrite or delete and thus cannot run your little program once it has been run by another user. These are not difficult adjustments to make once the hard work of the initial conversion has been done. It is a matter of maintaining good coding standards, and furthermore it gives a wider possible audience for your programming because it can then be ported for use in other distributions besides Puppy.
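The two habits named above, shown side by side in a small hypothetical helper script called "myapp" (an added example of mine, not a script from Puppy or Grafpup): the first version writes to a hard-coded /root and to a fixed name in /tmp; the second derives its paths from the invoking user's environment and uses mktemp so every run owns its own scratch file.

```shell
#!/bin/sh
# Added example: the same helper written for root only, then for any user.

# BEFORE: hard-coded /root and a fixed, predictable name in /tmp.
# A non-root user gets "Permission denied" on /root, and once one user has
# created /tmp/myapp.out, the sticky bit on /tmp stops every other user from
# overwriting or deleting it, so the program fails for them from then on.
save_setting_before() {
    echo "$1" > /root/.myapp_setting
    echo "$1" > /tmp/myapp.out
}

# AFTER: per-user config directory taken from the environment ($HOME, or
# $XDG_CONFIG_HOME when set), never a literal /root.
myapp_config_dir() {
    printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/myapp"
}

# Work in a private scratch file created by mktemp (unique name, owned by the
# caller, mode 0600), then move it into place so a half-written file is never seen.
save_setting_after() {
    dir=$(myapp_config_dir)
    mkdir -p "$dir" || return 1
    scratch=$(mktemp "${TMPDIR:-/tmp}/myapp.XXXXXX") || return 1
    if ! printf '%s\n' "$1" > "$scratch"; then
        rm -f "$scratch"
        return 1
    fi
    mv "$scratch" "$dir/setting"
}

# Reads the setting back from the same per-user location.
read_setting() {
    cat "$(myapp_config_dir)/setting"
}

# Stand-alone demo: runs as whichever user invoked it, no /root involved.
save_setting_after "flash9=off" && echo "saved: $(read_setting)"
```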
Do I think Puppy should support multiple user accounts? No, but Grafpup will continue to do so and there is a possibility that more such efforts will be spawned. I know of several already. It would be nice if those developing applications for Puppy would give a thought to whether their program would work if launched by a non-root user, but I will adjust as needed and give advice where I think it is necessary. I have a fundamental difference of opinion with Barry Kauler about a few things relating to the design of the distribution, but they do not detract from my extreme admiration for what he has accomplished with Puppy Linux and how useful it is to so many people. So much so that even though it causes me more work I will continue to synchronize with Puppy from time to time and put in extra work to make sure that my programming can benefit the development of Puppy as a whole. I’ve thrown my lot in with Puppy and that is probably where it will stay for some time.